SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port. Previously, this was supported in flow mode. Support for proxy mode has been added. A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies. Full SSL inspection must be used in the policy for the traffic mirroring to occur.
When upgrading to FortiOS 6.4.0, the
- Go to Policy & Objects and create a new policy, or edit an existing one. This example uses a firewall policy.
- In the policy settings, ensure the following are configured:
- The Inspection Mode is set to Proxy-based.
- The SSL Inspection profile uses Full SSL Inspection (if needed, click the pencil icon next to the dropdown to view the inspection profile settings).
- Click Agree.
- Beside the toggle, click Create to configure a new decrypted traffic mirror and adjust the settings as needed. In this example, the client is the decryted traffic source and port3 is the interface.
- Click OK to save the traffic mirror settings.
- Click OK to save the policy settings.
- Create the decrypted traffic mirror profile:
config firewall decrypted-traffic-mirror edit SSL-to-port3 set dstmac ff:ff:ff:ff:ff:ff set traffic-type ssl set traffic-source client set interface port3 next end
- Configure the policy to enable SSL traffic mirroring:
config firewall policy edit 1 set inspection-mode proxy set ssl-ssh-profile deep-inspection set decrypted-traffic-mirror SSL-to-port3 THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT: 1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature. 2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature. 3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs. 4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing. 5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue. 6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above. 7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA. Do you want to continue? (y/n)y next end